Saucepan

User Tools

Site Tools

Trace: firewall-hardware multicast aws globalprotect_versions oracle
paloaltonetworks:vmseries:oracle

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:vmseries:oracle [2020/10/23 12:20] bstaffordpaloaltonetworks:vmseries:oracle [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Oracle Cloud ====== ====== Oracle Cloud ======
-===== VM Instances ===== +===== Troubleshooting ===== 
-Remember VM.Standard2.is limited to four network interfaces. One for MGMT and three for dataplane.+[[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPH5CAO|Here is the official troubleshooting guide]]. 
 +===== Creating VM =====
  
 +  * When you go to deploy the VM, you can only specify one interface. Make sure this is the management interface.
 +  * You can add the others later. You should not specify a public IP now as you will want to reserve it (static) which you can do once the VM is deployed and booted. By default, the boot volume is set to 60GB. You can increase this during the setup screen if you want more space for logs.
 +  * Go to advanced options and then networking to set the static private IP 10.0.0.4
 +  * Specify SSH public key using PuTTY.  [[https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/prepare-to-set-up-the-vm-series-firewall-on-oci.html|This link]] gives more data. (i.e. save the private key but make sure you copy the public key from the text displayed on the PUTTYGen window rather than just saving the public key.
 +  * You must supply bootstrap paremeters to the firewall even if you don't "normally " bootstrap
 +  * Click Show Advanced Options->Under User data-> select Paste cloud-init script
 +    * hostname=palo-fw-03
 +    * authocodes=V5756013
 +    * op-command-modes=jumbo-frame
 +  * Deploy and let the machine boot.
 +  * Create the public IP for MGMT and create the VNIC for public VPC (ethernet1/1) and VNIC for private VPC (ethernet1/2). Be sure to do it in that order. Don't forget to add a public IP to the public interface.
 +  * Reboot the machine.
 +  * Log in
 +  * configure
 +  * set mgt-config users admin password (it will then prompt you to type in the password).
 +  * Set ethernet1/1 and ethernet1/2 using the normal cloud system of two virtual routers. Next hop for external is 10.1.0.1.
 +  * When adding new VNIC, you will need to reboot the VM firewall for the firewall to detect the interfaces.
 +  * set system setting mgmt-interface-swap enable yes
 +
 +===== VM Instances =====
 +VM.Standard2.1 is limited to two network interfaces. One for MGMT and one for dataplane.
 +VM.Standard2.2 is limited to two network interfaces. One for MGMT and one for dataplane.
 +VM.Standard2.4 is limited to four network interfaces. One for MGMT and three for dataplane.
 VM.Standard2.8 is limited to eight network interfaces. One for MGMT and three for dataplane. VM.Standard2.8 is limited to eight network interfaces. One for MGMT and three for dataplane.
- 
-Since 2020, VM.Standard2.1 will also cover a VM-100 if needed. 
- 
  
 ===== PAYG Costs ===== ===== PAYG Costs =====
Line 15: Line 36:
  
 When clearning out a lab account, do not forget to got to Compute > Boot Columes and delete all instances. Otherwise you will be paying £5-£10 a month. When clearning out a lab account, do not forget to got to Compute > Boot Columes and delete all instances. Otherwise you will be paying £5-£10 a month.
 +
 +===== Security Policies =====
 +If you want the managment interfaces to ping each other, you must allow icmp in the ingress securty list for the MGMT subnet.
 +
 +
 +===== Health Probes =====
 +Create a public load balancer, set the VPC to public and the subnet to public-subnet. 
 +Then add both firewalls as the backend. However, this will only set the first two isntance
 +Specify that the listener is TCP as we don't want the load balancer to actually terminate the session.
 +E.G. specify 443
 +
 +Ensure below Health check config for the Load Balancer:
 +  * URL PATH (URI) is set to /php/login.php
 +  * Status Code is set to 200
 +After you specify the load balancer backends and create the load balancer, you need to edit the backend and add two more backends where you specify the IP address of the firewall interface rather than just specifying the instance. Specifying the instance just added the first interfaec IP (i.e. the mgmt IP). You need to add the correct data plane private IP and remove teh mgmtm ones.
  
 ===== HA ===== ===== HA =====
Line 21: Line 57:
 HA1 cannot use MGMT interface when MGMT interface is set to DHCP. You have to set the MGMT IP to be static. HA1 cannot use MGMT interface when MGMT interface is set to DHCP. You have to set the MGMT IP to be static.
 I also found that I had to go into the HA1 config, select MGMT and then select it from the drop down list (the preselected MGMT is somehow wrong). I also found that I had to go into the HA1 config, select MGMT and then select it from the drop down list (the preselected MGMT is somehow wrong).
 +
 +===== VPN =====
 +Oracle supports only the following parameters for phase-2 (when your office firewall connects VPN to Oracle VPN gateway).
 +  * **IPSec Protocol**: ESP
 +  * **Encryption**: aes-256-cbc
 +  * **Authentication**: sha1
 +  * **DH Group**: group5
 +  * **Lifetime**: 3600 secs
paloaltonetworks/vmseries/oracle.1603455622.txt.gz · Last modified: (external edit)